
Open source software security: Who can you trust?

Fears of backdoors and heightened concerns about encryption software are running rampant.

This article can also be found in the Premium Editorial Download: Information Security magazine: Application security policy after Heartbleed.

Cybersecurity remains a top source of contention between the United States and China. As a result, U.S. technology companies have increasingly faced market pressures in China as local suppliers capitalize on the cyber uncertainty.

In addition to lower costs, Chinese server supplier Inspur Group Ltd. is banking on the specter of Edward Snowden to increase its market share in China. Snowden's legacy of doubt is still floating around and fanning government concerns about NSA surveillance and possible backdoors in the technology sold by U.S. companies. IBM, Hewlett-Packard and Microsoft are among the tech giants that have faced hurdles in China.

Chinese government officials raided Microsoft offices in Beijing, Shanghai, Guangzhou and Chengdu in July in an ongoing antitrust probe. They “banned” Windows 8 on PRC government systems for “security reasons” in May, amid speculation that the move was driven in part by the official end of Windows XP support.

And yet these safeguards should come as no surprise. In March, reports surfaced that linked the NSA to surveillance of the Chinese Trade Ministry, specific officials and network equipment supplier Huawei. According to leaked documents, the NSA had gained access to email archives and even source code for specific Huawei products.

Fears of backdoors and heightened concerns about who to trust are running rampant, and not just between China and the United States. The security audit of the open source file-and-disk-encryption utility TrueCrypt was a step in the right direction, but the information security industry needs to do more, according to Robert Richardson, editorial director of SearchSecurity. “Whether TrueCrypt is fit to use or not, its audit and demise raise key questions about security in open source software,” he writes in his thought-provoking column “Open source needs serious security help.”

Open source code faces increased scrutiny, and information security professionals would do well to heed the lessons of Heartbleed, agrees Michael Cobb, SearchSecurity's respected authority on application security. “As the Heartbleed flaw in the OpenSSL cryptographic software library has shown, relying solely on others to correctly implement and deliver security can put enterprise and customer data at risk,” advises Cobb, in this month's cover story on application security post-Heartbleed.

The success of open source software hinges on “trusting” the development community. The abrupt end of TrueCrypt's development in May was also attributed, on SourceForge, to “potential security issues” after Microsoft's termination of Windows XP support, in part because later versions of Windows offer built-in support for encrypted disks.

But is that really what happened? If the answer is based on trust, most of us will never know.

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

Send comments on this column to feedback@infosecuritymag.com.

This was last published in September 2014
